K16430721 : IP forwarding vulnerability CVE-1999-0511

Security Advisory Description

IP forwarding is enabled on a machine which is not a router or firewall. (CVE-1999-0511)

Impact

F5 products are not affected by this vulnerability in default configurations. However, Nessus or similar scanning tools may send alerts for BIG-IP systems in the following scenarios:

• You have configured or deployed an IP forwarding virtual server. For more information, refer to K7595: Overview of IP forwarding virtual servers.
• You have configured or deployed an IPsec tunnel. For more information, refer to the BIG-IP TMOS: Tunnels and IPsec manual.

Note: For information about how to locate F5 product manuals, refer to K98133564: Tips for searching AskF5 and finding product documentation.

• You have enabled IP forwarding in the Linux kernel using the sysctl net.ipv4.ip_forward ornet.ipv6.conf.all.forwarding kernel runtime parameters.

Note: This is not a supported configuration for F5 systems.

Certain F5 product features, such as IPsec or IP forwarding virtual servers, are not enabled by default but can be configured to allow traffic to traverse the BIG-IP system as needed to accommodate the requirements of your network environment. As with all system configurations, proper diligence should be observed to ensure that only designated traffic is allowed to use these configurations. F5 does not consider these features to be vulnerabilities, because these features must be enabled and configured before they can be used.